Abstract

This paper defines a framework in which one can formalize a variety of authorization and policy issues that arise in access control of shared computing resources. Instantiations of the framework address such issues as privacy, recency, validity, and trust. The paper presents an efficient algorithm for solving all authorization problems in the framework; this approach yields new algorithms for a number of specific authorization problems.


1 Introduction

The main issues in access control of shared computing resources are authentication, authorization and enforcement. Identification of principals is handled by authentication. Authorization addresses the following question: should a request r by a specific principal K be allowed? Enforcement addresses the problem of implementing the authorization during an execution. In a centralized system, authorization is based on the closed-world assumption, i.e., all authorized parties are known and trusted. In a distributed system where all the parties are not known a priori, the closed-world assumption is not applicable. Trust management systems [9] address the authorization problem in the context of distributed systems by requiring that authorization and access-control policies be defined explicitly, using an appropriate specification language, and relying on an algorithm to determine when a specific request is allowable. A survey of trust management systems, along with a formal framework for understanding them, is presented in [49]. Several trust management systems, such as Binder [18], Keynote [8], Referee [15], and SPKI/SDSI [19], have been proposed. Our work is presented in the context of SPKI/SDSI, but several aspects of the approach should carry over to other trust management systems and authorization frameworks.

In SPKI/SDSI, principals are the public keys, i.e., the identity of a principal is established by checking the validity of the corresponding public key. In SPKI/SDSI, name certificates define the names available in an issuer’s local name space; authorization certificates grant authorizations, or delegate the ability to grant authorizations. The fundamental problem in SPKI/SDSI (or any other trust management system) is the authorization problem (AP), which is defined as follows: given a security policy — which in SPKI/SDSI is represented by a set of name and authorization certificates — can a principal K access resource R?

Certificate-chain discovery refers to the problem of finding a “proof” that K can access resource R. (In the case of SPKI/SDSI, a proof is a chain of certificates.) If found, the proof can be presented by K to R. R checks the validity of the proof, and if the proof is valid, K is allowed access to R. Therefore, algorithms for certificate-chain discovery can also be used in frameworks such as proof-carrying authorization [3]. An efficient certificate-chain-discovery algorithm for SPKI/SDSI was presented by Clarke et al. [16]. An improved algorithm was presented by Jha and Reps [24]. The latter algorithm is based on translating SPKI/SDSI certificates to rules in a pushdown system. In [24] it was also demonstrated how this translation enables many other questions to be answered about a security policy expressed as a set of certificates.

In this paper, we generalize the pushdown-systems approach to enable it to address important security-policy issues such as privacy, recency, validity, and trust. For instance, consider the following authorization example: suppose that company X provides additional insurance to cover prescription-drug expenses that are not covered by a patient’s health-maintenance organization (HMO). For example, the HMO might have a very high deductible for drugs, which will be covered by the additional insurance. However, company X only wants to provide this service to patients of a certain hospital H. For Alice to be able to buy insurance, she needs to prove to X that she is a patient of H. Suppose that there are two certificate chains that prove that Alice is a patient of H, where one reveals that Alice is a patient in the internal-medicine clinic and the other reveals that Alice is a patient in the AIDS clinic. For obvious reasons Alice will prefer to use the former chain. In other words, Alice prefers a certificate chain that reveals the least amount of information about her. Such privacy-related issues can be addressed in our generalized framework.

In the context of SPKI/SDSI, assume that we are given a metric $\mu$ on certificate chains, and hence on proofs of authorization. The details of the metric depend on the specific issue being addressed. In the generalized authorization problem (GAP) we are given a principal K, a set of name and authorization certificates C, a resource R, and a metric $\mu$ on certificate chains. The question that GAP addresses is the same as AP — i.e., given C, is K authorized to access resource R? — however, an authorization proof that solves a GAP minimizes or maximizes the given metric (depending on the application). We demonstrate that several security-policy issues in trust management systems can be cast as GAPs with appropriate metrics. In particular, we demonstrate how an extension of pushdown systems, called weighted pushdown systems, can be used to solve such generalized authorization problems.

The algorithm for solving GAPs can be thought of as a generalization of the certificate-chain-discovery algorithm. The general strategy is as follows: the set of labeled SPKI/SDSI certificates is first translated to a weighted pushdown system.¹ After the translation, the answer is obtained by solving a generalized shortest-path problem [27, 46, 34].

The main contributions of the work reported in the paper are as follows:

• The GAP framework. We define the generalized authorization problem and show how versions of several types of security issues related to authorization can be handled in the GAP framework.

• An efficient algorithm for solving GAPs. We present an efficient algorithm for solving GAPs. This yields several new algorithms for a number of specific authorization problems.

• A prototype implementation. The algorithms described in the paper have been implemented in a library that provides functionality for solving GAPs. The library has been made available on the Internet [42] and may also be used by third parties.

¹ In a GAP, each certificate is labeled with a value. However, a label might depend on some global property. For example, for recency policies a certificate’s value represents the time the certificate was issued, or last known to be current.

The remainder of the paper is organized as follows: Section 2 provides background on SPKI/SDSI. Section 3 defines the GAP framework and discusses several possible applications of it. Section 4 provides background on pushdown systems (PDSs). Section 5 reviews the connection between SPKI/SDSI and PDSs. Section 6 defines weighted PDSs, and shows how an analysis of the transition system defined by a weighted PDS can be used to solve GAPs. Section 7 returns to the discussion of applications of the GAP framework. Section 8 discusses related work. Appendix A describes an enhancement to the algorithm described in Section 6 to generate witnesses or proofs of authorization.

2 Background on SPKI/SDSI

2.1 Principals and Names

In SPKI/SDSI, all principals are represented by their public keys, i.e., the principal is its public key. A principal can be an individual, process, host, or any other active entity. $\mathcal{K}$ denotes the set of public keys. Specific keys are denoted by $K$, $K_A$, $K_B$, $K'$, etc. An identifier is a word over some alphabet $\Sigma$. The set of identifiers is denoted by $\mathcal{A}$. Identifiers will be written in typewriter font, e.g., A and Bob.

A term is a key followed by zero or more identifiers. Terms are either keys, local names, or extended names. A local name is of the form $K\ A$, where $K \in \mathcal{K}$ and $A \in \mathcal{A}$. For example, $K\ \texttt{Bob}$ is a local name. Local names are important in SPKI/SDSI because they create a decentralized name space. The local name space of $K$ is the set of local names of the form $K\ A$. An extended name is of the form $K\ \sigma$, where $K \in \mathcal{K}$ and $\sigma$ is a sequence of identifiers of length greater than one. For example, $K\ \texttt{UW CS faculty}$ is an extended name.

2.2 Certificates

SPKI/SDSI has two types of certificates, or “certs”:

Name Certificates (or name certs): A name cert provides a definition of a local name in the issuer’s local name space. Only key $K$ may issue or sign a cert that defines a name in its local name space. A name cert $C$ is a signed four-tuple $(K, A, S, V)$. The issuer $K$ is a public key and the certificate is signed by $K$. $A$ is an identifier. The subject $S$ is a term. Intuitively, $S$ gives additional meaning for the local name $K\ A$. $V$ is the validity specification of the certificate. Usually, $V$ takes the form of an interval $[t_1, t_2]$, i.e., the cert is valid from time $t_1$ to $t_2$ inclusive. A validity specification can also take the form of an on-line check to be performed.

Authorization Certificates (or auth certs): An auth cert grants or delegates a specific authorization from an issuer to a subject. Specifically, an auth cert $C$ is a five-tuple $(K, S, D, T, V)$. The issuer $K$ is a public key, which is also used to sign the cert. The subject $S$ is a term. If the delegation bit $D$ is turned on, then a subject receiving this authorization can delegate this authorization to other principals. The authorization specification $T$ specifies the permission being granted; for example, it may specify a permission to read a specific file, or a permission to login to a particular host. The validity specification $V$ for an auth cert is the same as in the case of a name cert.

A request $r$ is a triple $(K', R, T')$ consisting of principals $K'$ and $R$, where $R$ is a resource that $K'$ is trying to access, and an authorization specification $T'$ that $K'$ is trying to exercise on $R$. The goal of certificate-chain discovery is to prove whether the request is valid. As described in Clarke et al. [16], we remove all “useless” certificates as follows:

• Remove every name and auth cert that has an invalid validity specification (e.g., an expired validity specification).

• Remove every auth cert $C = (K, S, D, T, V)$ for which $T$ does not imply the authorization specification $T'$ of the request.

In the rest of the paper, we assume that a request $r = (K', R, T')$ is given and the set of certificates does not contain useless certificates.

We will treat certs as rewrite rules:

• A name cert $(K, A, S, V)$ will be written as $K\ A \to S$.

• An auth cert $(K, S, D, T, V)$ will be written as $K\ \square \to S\ \square$ if the delegation bit $D$ is turned on; otherwise, it will be written as $K\ \square \to S\ \blacksquare$.

In authorization problems, we only consider valid certificates, so the validity specification $V$ for a certificate does not appear as part of its rewrite rule. However, for certain generalized authorization problems $V$ is used to derive weights for rules.

2.3 The Authorization Problem in SPKI/SDSI

In traditional discretionary access control, each protected resource has an associated access-control list, or ACL, describing which principals have various permissions to access the resource. An auth cert $(K, S, D, T, V)$ can be viewed as an ACL entry, where keys or principals represented by the subject $S$ are given permission to access resource $K$.

A term $S$ appearing in the rules can be viewed as a string over the alphabet $\mathcal{K} \cup \mathcal{A}$, in which elements of $\mathcal{K}$ appear only in the beginning. For uniformity, we also refer to strings of the form $S\ \square$ and $S\ \blacksquare$ as terms. Assume that we are given a rewrite rule $L \to R$ corresponding to a cert. Consider a term $S = LX$. In this case, the rewrite rule $L \to R$ applied to the term $S$ (denoted by $(L \to R)(S)$) yields the term $RX$. Therefore, a rule can be viewed as a function from terms to terms, for example,

$$(K_A\ \texttt{Bob} \to K_B)(K_A\ \texttt{Bob myFriends}) = K_B\ \texttt{myFriends}$$

Consider two rules $c_1 = (L_1 \to R_1)$ and $c_2 = (L_2 \to R_2)$, and, in addition, assume that $L_2$ is a prefix of $R_1$, i.e., there exists an $X$ such that $R_1 = L_2 X$. Then the composition $c_2 \circ c_1$ is the rule $L_1 \to R_2 X$. For example, consider the two rules:

$c_1$ : $K_A\ \texttt{friends} \to K_A\ \texttt{Bob myFriends}$

$c_2$ : $K_A\ \texttt{Bob} \to K_B$

The composition $c_2 \circ c_1$ is $K_A\ \texttt{friends} \to K_B\ \texttt{myFriends}$. Two rules $c_1$ and $c_2$ are called compatible if their composition $c_2 \circ c_1$ is well defined.²

A problem that often needs to be solved is the authorization question: “Given a set of certs $C$ and a request $r = (K', R, T')$, is $K'$ allowed to exercise authorization $T'$ on $R$?” A certificate-chain-discovery algorithm provides more than just a simple yes/no answer to the authorization question; in the case of a yes answer, it identifies a chain of certificates to prove the result. Formally, certificate-chain discovery attempts to find, after removing useless certificates, a certificate chain $c_k \circ \cdots \circ c_1$ such that

$$(c_k \circ \cdots \circ c_1)(R\ \square) \in \{K'\ \square,\ K'\ \blacksquare\}.$$

Intuitively, $(c_k \circ \cdots \circ c_1)$ represents a path from $R$, the resource, to either $K'\ \square$ or $K'\ \blacksquare$, representing “permission for $K'$ to access” with and without delegation, respectively; the elimination of useless certs ensures that the chain represents the authorization specification $T'$.

Clarke et al. [16] presented an algorithm for certificate-chain discovery in SPKI/SDSI with 0(n\\C\) time complexity, where $n_K$ is the number of keys and $|C|$ is the sum of the lengths of the right-hand sides of all rules in $C$. Jha and Reps [24] presented a different algorithm, based on the theory of pushdown systems.

² Note that in general the composition operator $\circ$ is not associative. For example, $c_3$ can be compatible with $c_2 \circ c_1$, but $c_3$ might not be compatible with $c_2$. Therefore, $c_3 \circ (c_2 \circ c_1)$ can exist when $(c_3 \circ c_2) \circ c_1$ does not exist. However, when $(c_3 \circ c_2) \circ c_1$ exists, so does $c_3 \circ (c_2 \circ c_1)$; moreover, the expressions are equal when both are defined. Thus, we allow ourselves to omit parentheses and assume that $\circ$ is right associative.

3 The Generalized Authorization Problem

In this section, we formally define the generalized authorization problem, or GAP. Later in the section, we show that several issues, such as privacy, validity, recency, and trust, can be formulated in the GAP framework. In this framework, certificates are labeled with weights that are drawn from a bounded idempotent semiring.

Definition 3.1 A bounded idempotent semiring is a quintuple $(D, \oplus, \otimes, 0, 1)$, where $D$ is a set, 0 and 1 are elements of $D$, and $\oplus$ (the combine operation) and $\otimes$ (the extend operation) are binary operators on $D$ such that

1. $(D, \oplus)$ is a commutative monoid with 0 as its neutral element, and $\oplus$ is idempotent (i.e., for all $a \in D$, $a \oplus a = a$).

2. $(D, \otimes)$ is a monoid with the neutral element 1.

3. $\otimes$ distributes over $\oplus$, i.e. for all $a, b, c \in D$ we have

$$a \otimes (b \oplus c) = (a \otimes b) \oplus (a \otimes c) \quad\text{and}\quad (a \oplus b) \otimes c = (a \otimes c) \oplus (b \otimes c).$$

4. 0 is an annihilator with respect to $\otimes$, i.e., for all $a \in D$, $a \otimes 0 = 0 = 0 \otimes a$.

5. In the partial order $\sqsubseteq$ defined by: $\forall a, b \in D$, $a \sqsubseteq b$ iff $a \oplus b = a$, there are no infinite descending chains.

A weighted SPKI/SDSI system $WSS$ is a 3-tuple $(C, \mathcal{S}, f)$, where $C$ is a set of certs, $\mathcal{S} = (D, \oplus, \otimes, 0, 1)$ is a bounded idempotent semiring, and $f : C \to D$ assigns weights to the certs in $C$. We extend the function $f$ to certificate chains in a natural way, i.e., given a certificate chain $c_k \circ c_{k-1} \circ \cdots \circ c_1$, $f(c_k \circ c_{k-1} \circ \cdots \circ c_1)$ is defined as $f(c_1) \otimes \cdots \otimes f(c_{k-1}) \otimes f(c_k)$.

Definition 3.2 Given a weighted SPKI/SDSI system $WSS = (C, \mathcal{S}, f)$ and a request $r = (K', R, T')$, $proof(C, r)$ denotes the set of certificate chains that prove that request $r$ can be fulfilled. Formally, $proof(C, r)$ is the set of certificate chains $c_k \circ \cdots \circ c_1$ not containing any useless certificates such that:

$$(c_k \circ \cdots \circ c_1)(R\ \square) \in \{K'\ \square,\ K'\ \blacksquare\}$$

The generalized authorization problem (GAP) asks the following two questions: (1) Is $proof(C, r)$ non-empty? (2) If $proof(C, r)$ is non-empty, then find the following two quantities:

• $\delta := \bigoplus \{\, f(cc) \mid cc \in proof(C, r) \,\}$;

• a witness set of certificate chains $\omega \subseteq proof(C, r)$ such that $\bigoplus_{cc \in \omega} f(cc) = \delta$.


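Certificates                                                                                  Weights

$K_X\ \square \to K_H\ \texttt{patient}\ \blacksquare$                            (1)    I
$K_H\ \texttt{patient} \to K_{\text{H-AIDS}}\ \texttt{patient}$                   (2)    I
$K_H\ \texttt{patient} \to K_{\text{H-IM}}\ \texttt{patient}$                     (3)    I
$K_{\text{H-AIDS}}\ \texttt{patient} \to K_{\text{Alice}}$                        (4)    S
$K_{\text{H-IM}}\ \texttt{patient} \to K_{\text{Alice}}$                          (5)    I

Figure 1. A set of weighted certificates.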


Notice that the extender operation $\otimes$ is used to calculate the value of a certificate chain. The value of a set of certificate chains is computed using the combiner operation $\oplus$. In general, it is enough for $\omega$ to contain only a finite set of minimal elements (i.e., minimal with respect to the partial order $\sqsubseteq$). Intuitively, GAP attempts to find a set of certificate chains proving that $K'$ can access resource $R$ such that the combination (using the operator $\oplus$) of their weights is minimal. (Definition 3.2 actually defines a more general machinery than required for the SPKI/SDSI certificate-chain-discovery problem discussed in Sections 2.2 and 2.3; the problem defined here allows a witness set of certificate chains to be identified.)

We now demonstrate that several authorization-related problems can be cast in this framework.

Privacy-preserving certificate chains

We return to the example described in the Introduction, in which company X offers additional insurance to patients of a certain hospital H. The certificates relevant to the problem are shown in Figure 1. $K_X\ \square$ represents the service offered, i.e., the additional insurance offered by company X. The filled square represents the fact that this authorization cannot be delegated, e.g., an eligible patient cannot delegate the permission to buy insurance to one of their friends. The principals corresponding to the AIDS and internal-medicine clinics in hospital H are denoted by $K_{\text{H-AIDS}}$ and $K_{\text{H-IM}}$. Alice is a patient in both clinics.

Suppose that Alice wants to buy the insurance. In this case, both $(4) \circ (2) \circ (1)$ and $(5) \circ (3) \circ (1)$ are equal to $K_X\ \square \to K_{\text{Alice}}\ \blacksquare$. However, the certificate chain $(4) \circ (2) \circ (1)$ reveals that Alice probably has AIDS, which is information that Alice may not wish to reveal to company X. Therefore, Alice would prefer to offer the certificate chain $(5) \circ (3) \circ (1)$ to company X; it proves that she is authorized to buy additional insurance, but reveals the least amount of information about her.

Privacy can be modeled in the GAP framework using the semiring $(D, \oplus, \otimes, 0, 1)$, defined as follows: $D = \{I, S\}$, where $I$ and $S$ stand for “insensitive” and “sensitive”, respectively. The 0 and 1 elements are $S$ and $I$, respectively. The $\oplus$ and $\otimes$ operators are defined as follows (where $x$ denotes either $S$ or $I$):

$$I \oplus x = x \oplus I = I \quad\text{and}\quad S \oplus x = x \oplus S = x$$
$$S \otimes x = x \otimes S = S \quad\text{and}\quad I \otimes x = x \otimes I = x$$

It is easy to check that conditions 1–4 of Definition 3.1 are satisfied. Condition 5 is trivially satisfied because $D$ is finite. The weights for the certificates are shown in Figure 1: certificate (4), $K_{\text{H-AIDS}}\ \texttt{patient} \to K_{\text{Alice}}$, is labeled $S$ because it reveals that Alice is a patient in the AIDS clinic; all other certificates are labeled $I$. The weights of the certificate chain $(4) \circ (2) \circ (1)$ and $(5) \circ (3) \circ (1)$ are $I \otimes I \otimes S = S$ and $I \otimes I \otimes I = I$, respectively. Obviously, Alice prefers the certificate chain with weight $I$. In Section 6, we show how Alice can discover such a certificate chain.

Maximally-valid certificate chain. Let $V(c)$ be the expiration value of cert $c$, i.e., the cert $c$ will expire at time $T_{current} + V(c)$, where $T_{current}$ is the current time. The expiration value of a certificate chain $c_k \circ c_{k-1} \circ \cdots \circ c_1$ is $\min_{i=1}^{k} V(c_i)$. Suppose that Alice wants to login to host H. If Alice provides a certificate chain that is only valid for two minutes, then she will be logged off by the host after two minutes. Thus, Alice wants to find a certificate chain that authorizes her to login to H, but has the maximum expiration value among all such certificate chains.

Most-recent certificate chain. Let $R(c)$ be the time (relative to the current time) when the cert $c$ was issued or an on-line check was performed on cert $c$, i.e., $T_{current} - R(c)$ is the actual time of issue or the last on-line check. We call $R(c)$ the recency associated with cert $c$. The recency of a certificate chain $c_k \circ c_{k-1} \circ \cdots \circ c_1$ is equal to $\max_{i=1}^{k} R(c_i)$. Suppose that Alice wants to login to host H. For risk-reduction purposes, host H might mandate the use of a certificate chain whose recency is no more than ten minutes. In this case, Alice wishes to find a certificate chain that authorizes her to login to H and has the minimum recency among all such chains. Let $c_k \circ c_{k-1} \circ \cdots \circ c_1$ be the certificate chain with minimum recency. If $\max_{i=1}^{k} R(c_i)$ is less than or equal to ten minutes, then Alice can use the certificate chain to login to H.

Certificate chains with maximal trust

Assume that each certificate $c$ is assigned a trust level $Tr(c)$ by the issuer of the certificate. Intuitively, $Tr(c)$ denotes the confidence that the issuer of $c$ has in the relationship expressed by the certificate $c$. The trust level of a certificate chain $c_k \circ c_{k-1} \circ \cdots \circ c_1$ is $\bigotimes_{i=1}^{k} Tr(c_i)$, where $\otimes$ is defined in Table 1. Suppose that Alice wants to use server S, but S requires a certificate chain that has a trust level above a certain value $v$. In this case, Alice wants to find a certificate chain that authorizes her to use S, but has the maximal trust level among all such chains. If such a certificate chain has a trust level above $v$, Alice can use S.

              $D$                                  $\oplus$     $\otimes$    0            1
Validity      $\mathbb{N} \cup \{\pm\infty\}$      max          min          $-\infty$    $+\infty$
Recency       $\mathbb{N} \cup \{\infty\}$         min          max          $\infty$     0
Trust         $\{N, L, M, H\}$                     $\sqcap$     $\sqcup$     $N$          $H$

Table 1. Semirings for validity, recency, and trust.

Formalization using semirings. The semirings for the three cases discussed above are shown in Table 1. In the case of the maximal-trust example, the trust levels are drawn from a totally ordered set with four elements $\{N, L, M, H\}$, where $N \sqsupset L \sqsupset M \sqsupset H$. Elements $L$, $M$, and $H$ denote low, medium, and high levels of trust, respectively. The element $N$ stands for “no link”.³ The join $\sqcup$ and the meet $\sqcap$ operator on this totally ordered set are defined as follows (where $x$ and $y$ are arbitrary elements of $\{N, L, M, H\}$):

$$x \sqcup y = \begin{cases} x & \text{if } x \sqsupset y \\ y & \text{otherwise} \end{cases} \qquad\qquad x \sqcap y = \begin{cases} y & \text{if } x \sqsupset y \\ x & \text{otherwise} \end{cases}$$
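The rule composition of Section 2.3 and the semirings of this section can be exercised together on the certificates of Figure 1. The following Python sketch is an added example, not code from the paper or its library: it checks conditions 1–4 of Definition 3.1 by brute force, enumerates proof chains with a bounded search (a stand-in for the algorithm of Section 6), and computes $\delta$ and a witness set. The trust weights are constructed sample values, and picking witnesses by equality with $\delta$ assumes a totally ordered semiring.

```python
from functools import reduce
from itertools import product

BOX, FBOX = "□", "■"   # delegable / non-delegable authorization markers

class Semiring:
    """Finite bounded idempotent semiring (D, combine ⊕, extend ⊗, 0, 1)."""
    def __init__(self, domain, combine, extend, zero, one):
        self.domain, self.combine, self.extend = domain, combine, extend
        self.zero, self.one = zero, one

    def satisfies_definition(self):
        """Brute-force conditions 1-4 of Definition 3.1 (5 holds: D is finite)."""
        plus, times, zero, one = self.combine, self.extend, self.zero, self.one
        return all(
            plus(a, b) == plus(b, a) and plus(a, a) == a
            and plus(a, plus(b, c)) == plus(plus(a, b), c)
            and times(a, times(b, c)) == times(times(a, b), c)
            and times(a, plus(b, c)) == plus(times(a, b), times(a, c))
            and times(plus(a, b), c) == plus(times(a, c), times(b, c))
            and plus(a, zero) == a and times(a, one) == a == times(one, a)
            and times(a, zero) == zero == times(zero, a)
            for a, b, c in product(self.domain, repeat=3))

# Privacy semiring from the text: 0 = S (sensitive), 1 = I (insensitive).
PRIVACY = Semiring("IS",
                   combine=lambda a, b: "I" if "I" in (a, b) else "S",
                   extend=lambda a, b: "S" if "S" in (a, b) else "I",
                   zero="S", one="I")

# Trust semiring from Table 1: N ⊐ L ⊐ M ⊐ H, ⊕ = meet, ⊗ = join.
RANK = {"H": 0, "M": 1, "L": 2, "N": 3}
TRUST = Semiring("NLMH",
                 combine=lambda a, b: min(a, b, key=RANK.get),
                 extend=lambda a, b: max(a, b, key=RANK.get),
                 zero="N", one="H")

# Figure 1 as rewrite rules (lhs term, rhs term); a term is a tuple of symbols.
CERTS = {
    1: (("K_X", BOX), ("K_H", "patient", FBOX)),
    2: (("K_H", "patient"), ("K_H-AIDS", "patient")),
    3: (("K_H", "patient"), ("K_H-IM", "patient")),
    4: (("K_H-AIDS", "patient"), ("K_Alice",)),
    5: (("K_H-IM", "patient"), ("K_Alice",)),
}
PRIVACY_WEIGHT = {1: "I", 2: "I", 3: "I", 4: "S", 5: "I"}   # from Figure 1
TRUST_WEIGHT = {1: "H", 2: "M", 3: "H", 4: "H", 5: "L"}     # constructed sample

def compose(c2, c1):
    """Return c2 ∘ c1 (c1 applied first), or None if the rules are incompatible."""
    (l1, r1), (l2, r2) = c1, c2
    if r1[:len(l2)] != l2:              # L2 must be a prefix of R1 = L2 X
        return None
    return (l1, r2 + r1[len(l2):])      # L1 → R2 X

def chain_rule(certs, chain):
    """Compose c_k ∘ ... ∘ c_1 right-associatively; chain lists c_1 first."""
    return reduce(lambda acc, cid: compose(certs[cid], acc),
                  chain[1:], certs[chain[0]])

def proof_chains(certs, resource, principal, max_len=8):
    """All chains [c_1, ..., c_k] with (c_k∘...∘c_1)(R □) in {K' □, K' ■}.

    Bounded brute-force enumeration (an assumption of this sketch)."""
    goals = {(principal, BOX), (principal, FBOX)}
    start = ((resource, BOX), (resource, BOX))      # identity rule on R □
    found, todo = [], [(start, [])]
    while todo:
        rule, chain = todo.pop()
        if rule[1] in goals:
            found.append(chain)
        elif len(chain) < max_len:
            for cid, cert in certs.items():
                nxt = compose(cert, rule)
                if nxt is not None:
                    todo.append((nxt, chain + [cid]))
    return sorted(found)

def chain_weight(sr, weight, chain):
    """f(c_k ∘ ... ∘ c_1) = f(c_1) ⊗ ... ⊗ f(c_k)."""
    return reduce(sr.extend, (weight[c] for c in chain), sr.one)

def solve_gap(sr, certs, weight, resource, principal):
    """Return (δ, witness chains), or (None, []) if proof(C, r) is empty."""
    chains = proof_chains(certs, resource, principal)
    if not chains:
        return None, []
    weights = [chain_weight(sr, weight, c) for c in chains]
    delta = reduce(sr.combine, weights, sr.zero)
    # Valid for totally ordered semirings: some chain attains δ exactly.
    return delta, [c for c, w in zip(chains, weights) if w == delta]
```

With the privacy weights the witness is the internal-medicine chain; with the constructed trust weights the other chain is selected, which shows that the preferred proof depends on the metric.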


4 Pushdown Systems

A pushdown system is a transition system whose states involve a stack of unbounded length.

Definition 4.1 A pushdown system is a triple $\mathcal{P} = (P, \Gamma, \Delta)$, where $P$ and $\Gamma$ are finite sets called the control locations and the stack alphabet, respectively. A configuration of $\mathcal{P}$ is a pair $(p, w)$, where $p \in P$ and $w \in \Gamma^*$. $\Delta$ contains a finite number of rules of the form $(p, \gamma) \hookrightarrow_{\mathcal{P}} (p', w)$, where $p, p' \in P$, $\gamma \in \Gamma$, and $w \in \Gamma^*$, which define a transition relation between configurations of $\mathcal{P}$ as follows:

If $r = (p, \gamma) \hookrightarrow_{\mathcal{P}} (p', w)$, then $(p, \gamma w') \overset{(r)}{\Longrightarrow}_{\mathcal{P}} (p', w w')$ for all $w' \in \Gamma^*$.

We also write $c \Rightarrow_{\mathcal{P}} c'$ to express that there is some rule $r$ such that $c \overset{(r)}{\Longrightarrow}_{\mathcal{P}} c'$, and we omit the index $\mathcal{P}$ if $\mathcal{P}$ is understood. The reflexive and transitive closure of $\Rightarrow$ is written $\Rightarrow^*$. Given a set of configurations $C$, we define $pre^*(C) := \{\, c' \mid \exists c \in C : c' \Rightarrow^* c \,\}$ and $post^*(C) := \{\, c' \mid \exists c \in C : c \Rightarrow^* c' \,\}$ to be the sets of configurations that are backwards and forwards reachable from elements of $C$, respectively.

Without loss of generality, we assume henceforth that for every $(p, \gamma) \hookrightarrow (p', w)$ we have $|w| \le 2$; this is not restrictive because every pushdown system can be simulated by another one that obeys this restriction and is larger by only a constant factor; e.g., see [24].

³ Note that “highest level of trust” is denoted by the element $H$, which is lowest in the total order.

Because pushdown systems have infinitely many configurations, we need some symbolic means to represent sets of configurations. We will use finite automata for this purpose.

Definition 4.2 Let $\mathcal{P} = (P, \Gamma, \Delta)$ be a pushdown system. A $\mathcal{P}$-automaton is a quintuple $\mathcal{A} = (Q, \Gamma, \to, P, F)$ where $Q \supseteq P$ is a finite set of states, $\to\ \subseteq Q \times \Gamma \times Q$ is the set of transitions, and $F \subseteq Q$ are the final states. The initial states of $\mathcal{A}$ are the control locations $P$. A configuration $(p, w)$ is accepted by $\mathcal{A}$ if $p \xrightarrow{w}^{*} q$ for some final state $q$. A set of configurations of $\mathcal{P}$ is regular if it is recognized by some $\mathcal{P}$-automaton. (If $\mathcal{P}$ is understood, we omit the prefix $\mathcal{P}$ and merely refer to “automaton”.)

A convenient property of regular sets of configurations is that they are closed under forward and backward reachability. In other words, given an automaton $\mathcal{A}$ that accepts the set $C$, one can construct automata $\mathcal{A}_{pre^*}$ and $\mathcal{A}_{post^*}$ that accept $pre^*(C)$ and $post^*(C)$, respectively. The general idea behind the algorithm for $pre^*$ [11, 20] is as follows:

Let $\mathcal{P} = (P, \Gamma, \Delta)$ be a pushdown system and $\mathcal{A} = (Q, \Gamma, \to_0, P, F)$ be a $\mathcal{P}$-automaton accepting a set of configurations $C$. Without loss of generality we assume that $\mathcal{A}$ has no transition leading to an initial state. $pre^*(C)$ is obtained as the language of an automaton $\mathcal{A}_{pre^*} = (Q, \Gamma, \to, P, F)$ derived from $\mathcal{A}$ by a saturation procedure. The procedure adds new transitions to $\mathcal{A}$ according to the following rule:

If $(p, \gamma) \hookrightarrow (p', w)$ and $p' \xrightarrow{w}^{*} q$ in the current automaton, add a transition $(p, \gamma, q)$.

In [20] an efficient implementation of this procedure is given, which requires $O(|Q|^2 |\Delta|)$ time and $O(|Q|\,|\Delta| + |{\to_0}|)$ space. Moreover, another procedure (and implementation) are presented for constructing a $\mathcal{P}$-automaton that accepts $post^*(C)$. In the following, we show that extensions of these procedures provide efficient algorithms for discovering the certificate chains needed in generalized authorization problems, such as those discussed in Section 3. We will present these extensions for $pre^*$; the same basic ideas apply to $post^*$, but this is omitted for lack of space.

5  The  Connection  Between  SPKI/SDSI  and 
Pushdown  Systems 

The  following  correspondence  between  SPKI/SDSI  and 
pushdown  systems  was  presented  in  [24]:  let  C  be  a  (finite) 
set  of  certificates  such  that  JCc  and  Tq  are  the  keys  and  iden¬ 
tifiers  that  appear  in  C,  respectively;  with  C  we  associate  the 
pushdown  system  Vc  =  (ICc.  Ic  U  {□,  ■},  Ac),  i.e.,  the 
keys  of  C  are  the  control  locations  and  the  identifiers  form 
the  stack  alphabet;  the  rule  set  Ac  is  defined  as  follows: 


{Kx,0)  ^  (Kh,  patient  ■)  (1) 

(Kh,  patient)  ^  (KH_AIDS,  patient)  (2) 

(Kh,  patient)  (Kh-im,  patient)  (3) 

(Kh_aids,  patient)  (Kklice,s)  (4) 

(Kh-IM,  patient)  (KAlice,e)  (5) 


Figure  2.  The  PDS  rules  that  correspond  to 
Figure  1. 


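• if $C$ contains a name cert $K\ A \rightarrow K'\ \sigma$ (where
$\sigma$ is a sequence of identifiers), then $\Delta_C$ contains a rule
$\langle K, A\rangle \hookrightarrow \langle K', \sigma\rangle$;

• if $C$ contains an auth cert $K\ \square \rightarrow K'\ \sigma\ b$
(where $b \in \{\square, \blacksquare\}$), then $\Delta_C$ contains a
rule $\langle K, \square\rangle \hookrightarrow \langle K', \sigma b\rangle$.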

For instance, consider the set of certificates $C$ from Figure 1. The
corresponding pushdown system $\mathcal{P}_C$ has the control locations
$\{K_X, K_H, K_{H\text{-}AIDS}, K_{H\text{-}IM}, K_{Alice}\}$, the stack
alphabet $\{\text{patient}, \square, \blacksquare\}$, and the set of
rules listed in Figure 2.

The usefulness of this correspondence stems from the following simple
observation: A configuration $\langle K, \sigma\rangle$ of
$\mathcal{P}_C$ can reach another configuration
$\langle K', \sigma'\rangle$ if and only if $C$ contains a chain of
certificates that, when applied to $K\ \sigma$, yield $K'\ \sigma'$. For
instance, in the example above Alice can prove that she has the right to
buy additional insurance because
$\langle K_X, \square\rangle \Rightarrow^* \langle K_{Alice}, \blacksquare\rangle$.
In the authorization problem, we are given a set of certs $C$ and a
request $(K', R, T')$. In terms of the PDS $\mathcal{P}_C$ corresponding
to certificate set $C$, the authorization problem can be stated as
follows: $K'$ should be granted access to $R$ iff the condition
$\langle R, \square\rangle \in pre^*(\{\langle K', \square\rangle, \langle K', \blacksquare\rangle\})$
holds. Thus, in the medical example, we wish to determine whether
$\langle K_X, \square\rangle \in pre^*(S)$, where
$S = \{\langle K_{Alice}, \square\rangle, \langle K_{Alice}, \blacksquare\rangle\}$.
The automaton shown in Figure 3(a) accepts the set $S$. The set
$pre^*(S)$ is shown in Figure 3(b). Because there is a transition on the
symbol $\square$ from state $K_X$ to the accepting state $s$,
$\langle K_X, \square\rangle \in pre^*(S)$. In other words, Alice is
authorized to buy additional insurance. (The extra annotations I
(insensitive) and S (sensitive) on the transitions indicate whether the
transitions involve sensitive information. The algorithm for deriving
these labels is presented in Section 6.)

6 Solving the Generalized Authorization Problem

The types of problems treated in [24] could be characterized as having a
qualitative nature; they answer questions such as “Is a given principal
allowed to access a given resource?” In this section, we show how to
answer questions that have an additional quantitative component, e.g.
“How long is a given principal allowed to access a given resource?” To
do so, we consider pushdown systems whose rules carry weights.

Figure 3. (a) Automaton representing the configurations
$S = \{\langle K_{Alice}, \square\rangle, \langle K_{Alice}, \blacksquare\rangle\}$.
(b) Automaton representing the configurations in $pre^*(S)$.

6.1 Weighted Pushdown Systems

We consider pushdown systems whose rules are given values from some
domain of weights. The weight domains of interest are the bounded
idempotent semirings from Definition 3.1.

Definition 6.1 A weighted pushdown system is a triple
$\mathcal{W} = (\mathcal{P}, \mathcal{S}, f)$ such that
$\mathcal{P} = (P, \Gamma, \Delta)$ is a pushdown system,
$\mathcal{S} = (D, \oplus, \otimes, 0, 1)$ is a bounded idempotent
semiring, and $f: \Delta \rightarrow D$ is a function that assigns a
value from $D$ to each rule of $\mathcal{P}$.

Let $\sigma \in \Delta^*$ be a sequence of rules. Using $f$, we can
associate a value to $\sigma$, i.e., if $\sigma = [r_1, \ldots, r_k]$,
then we define $v(\sigma) := f(r_1) \otimes \cdots \otimes f(r_k)$.
Moreover, for any two configurations $c$ and $c'$ of $\mathcal{P}$, we
let $path(c, c')$ denote the set of all rule sequences
$[r_1, \ldots, r_k]$ that transform $c$ into $c'$.


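Definition 6.2 Given a weighted pushdown system
$\mathcal{W} = (\mathcal{P}, \mathcal{S}, f)$, where
$\mathcal{P} = (P, \Gamma, \Delta)$, and a regular set of configurations
$C \subseteq P \times \Gamma^*$, the generalized pushdown reachability
(GPR) problem is to find for each $c \in P \times \Gamma^*$:

• $\delta(c) := \bigoplus \{\, v(\sigma) \mid \sigma \in path(c, c'),\ c' \in C \,\}$;

• a witness set of paths $\omega(c) \subseteq \bigcup_{c' \in C} path(c, c')$
such that $\bigoplus_{\sigma \in \omega(c)} v(\sigma) = \delta(c)$.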


In general, it is enough for $\omega(c)$ to contain only a finite set of
paths whose values are minimal elements of
$\{\, v(\sigma) \mid \sigma \in path(c, c'),\ c' \in C \,\}$, i.e.,
minimal with respect to the partial order $\sqsubseteq$ defined in
Definition 3.1(5).

For the remainder of this section, let $\mathcal{W}$ denote a fixed
weighted pushdown system: $\mathcal{W} = (\mathcal{P}, \mathcal{S}, f)$,
where $\mathcal{P} = (P, \Gamma, \Delta)$ and
$\mathcal{S} = (D, \oplus, \otimes, 0, 1)$; let $C$ denote a fixed
regular set of configurations, represented by a $\mathcal{P}$-automaton
$\mathcal{A} = (Q, \Gamma, \rightarrow_0, P, F)$ such that $\mathcal{A}$
has no transition leading to an initial state.

The GPR problem is a multi-target meet-over-all-paths problem on a
graph. The vertices of the graph are the configurations of
$\mathcal{P}$, and the edges are defined by $\mathcal{P}$’s transition
relation. The target vertices are the vertices in $C$. Both the graph
and the set of target vertices can be infinite, but have some built-in
structure to them; in particular, $C$ is a regular set.

Because the GPR problem concerns infinite graphs, and not just an
infinite set of paths, it differs from other work on meet-over-all-paths
problems. As in the (ordinary) pushdown-reachability problem [11, 20],
the infinite nature of the problem is addressed by reporting the answer
in an indirect fashion, namely, in the form of an annotated automaton.
An answer automaton without its annotations will be identical to an
$\mathcal{A}_{pre^*}$ automaton created by the algorithm of [20]. For
each $c \in pre^*(C)$, the values of $\delta(c)$ and $\omega(c)$ can be
read off from the annotations by following all accepting paths for $c$
in the automaton; for $c \notin pre^*(C)$, the values of $\delta(c)$ and
$\omega(c)$ are $0$ and $\emptyset$, respectively.

The solution to the GPR problem is presented in several stages:

• We first define a language that characterizes the sequences of
transitions that can be made by a pushdown system $\mathcal{P}$ and
automaton $\mathcal{A}$ for $C$.

• We then turn to weighted pushdown systems and the GPR problem. We use
the language characterizations of transition sequences, together with
previously known results on a certain kind of grammar problem [46, 34]
to obtain a solution to the GPR problem.

• However, the solution based on grammars is somewhat inefficient; to
improve the performance, we specialize the computation to our case,
ending up with an algorithm for creating an annotated automaton that is
quite similar to the $pre^*$ algorithm from [20].

6.2 Languages that Characterize Transition Sequences

In this section, we make some definitions that will aid in reasoning
about the set of paths that lead from a configuration $c$ to
configurations in a regular set $C$. We call this set the reachability
witnesses for $c \in P \times \Gamma^*$ with respect to $C$:
$ReachabilityWitnesses(c, C) = \bigcup_{c' \in C} path(c, c')$.

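It is convenient to think of PDS $\mathcal{P}$ and automaton
$\mathcal{A}$ (for $C$) as being combined in sequence, to create a
combined PDS, which we will call $\mathcal{PA}$. $\mathcal{PA}$’s states
are $P \cup Q = Q$, and its rules are those of $\mathcal{P}$, augmented
with a rule $\langle q, \gamma\rangle \hookrightarrow \langle q', \epsilon\rangle$
for each transition $q \xrightarrow{\gamma} q'$ in $\mathcal{A}$’s
transition set $\rightarrow_0$.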

We say that a configuration
$c = \langle p, \gamma_1 \gamma_2 \ldots \gamma_n\rangle$ is accepted by
$\mathcal{PA}$ if there is a path to a configuration
$\langle q_f, \epsilon\rangle$ such that $q_f \in F$. Note that because
$\mathcal{A}$ has no transitions leading to initial states,
$\mathcal{PA}$’s behavior during an accepting run can be divided into
two phases—transitions during which $\mathcal{PA}$ mimics $\mathcal{P}$,
followed by transitions during which $\mathcal{PA}$ mimics
$\mathcal{A}$: once $\mathcal{PA}$ reaches a state in $(Q - P)$, it can
only perform a sequence of pops, possibly reaching a state in $F$. If
the run of $\mathcal{PA}$ does reach a state in $F$, in terms of the
features of the original $\mathcal{P}$ and $\mathcal{A}$, the second
phase corresponds to automaton $\mathcal{A}$ accepting some
configuration $c'$ that has been reached by $\mathcal{P}$, starting in
configuration $c$. In other words, $\mathcal{PA}$ accepts a
configuration $c$ iff $c \in pre^*(C)$.

The first language that we define characterizes the pop sequences of
$\mathcal{PA}$. A pop sequence for $q \in Q$, $\gamma \in \Gamma$, and
$q' \in Q$ is a sequence of $\mathcal{PA}$’s transitions that (i) starts
in a configuration $\langle q, \gamma\rangle$, and (ii) ends in a
configuration $\langle q', \epsilon\rangle$. The family of pop sequences
for a given $q$, $\gamma$, and $q'$ can be characterized by the complete
derivation trees⁴ derived from nonterminal $PS_{(q,\gamma,q')}$ using
the grammar shown in Figure 4.

Theorem 6.1 PDS $\mathcal{PA}$ has a pop sequence for $q$, $\gamma$, and
$q'$ iff nonterminal $PS_{(q,\gamma,q')}$ of the grammar shown in
Figure 4 has a complete derivation tree. Moreover, for each derivation
tree with root $PS_{(q,\gamma,q')}$, a preorder listing of the
derivation tree’s production instances (where Figure 4 defines the
correspondence between productions and PDS rules) gives a sequence of
rules for a pop sequence for $q$, $\gamma$, and $q'$; and every such
sequence of rules has a derivation tree with root $PS_{(q,\gamma,q')}$.

⁴ A derivation tree is complete if it has a terminal symbol at each leaf.


Proof: [Sketch] To shrink the stack by removing the stack symbol on the
left-hand side of each rule of $\mathcal{PA}$, there must be a
transition sequence that removes each of the symbols that appear in the
stack component of the rule’s right-hand side. In other words, a pop
sequence for the left-hand-side stack symbol must involve a pop sequence
for each right-hand-side stack symbol.

The left-hand and right-hand sides of the productions in Figure 4
reflect the pop-sequence obligations incurred by the corresponding rule
of $\mathcal{PA}$. □

To capture the set
$ReachabilityWitnesses(\langle p, \gamma_1 \gamma_2 \ldots \gamma_n\rangle, C)$,
where $C$ is recognized by automaton $\mathcal{A}$, we define a
context-free language given by the set of productions shown in Figure 5.

This language captures all ways in which PDS $\mathcal{PA}$ can accept
$\langle p, \gamma_1 \gamma_2 \ldots \gamma_n\rangle$: the set of
reachability witnesses for
$\langle p, \gamma_1 \gamma_2 \ldots \gamma_n\rangle$ corresponds to the
complete derivation trees derivable from nonterminal
$Accepted[\gamma_1 \gamma_2 \ldots \gamma_n]_{(p)}$. The subtree rooted
at $PS_{(q_{i-1},\gamma_i,q_i)}$ gives the pop sequence that
$\mathcal{PA}$ performs to consume symbol $\gamma_i$. (If there are no
reachability witnesses for
$\langle p, \gamma_1 \gamma_2 \ldots \gamma_n\rangle$, there are no
complete derivation trees with root
$Accepted[\gamma_1 \gamma_2 \ldots \gamma_n]_{(p)}$.)

6.3 Weighted PDSs and Abstract Grammar Problems

Turning now to weighted PDSs, we will consider the weighted version of
$\mathcal{PA}$, denoted by $\mathcal{WA}$, in which weighted PDS
$\mathcal{W}$ is combined with $\mathcal{A}$, and each rule
$\langle q, \gamma\rangle \hookrightarrow \langle q', \epsilon\rangle$
that was added due to transition $q \xrightarrow{\gamma} q'$ in
$\mathcal{A}$’s transition set $\rightarrow_0$ is assigned the weight
$1$.

We are able to reason about semiring sums ($\oplus$) of weights on the
paths that are characterized by the context-free grammars defined above
using the following concept:

Definition 6.3 [34] Let $(S, \sqcap)$ be a semilattice. An abstract
grammar over $(S, \sqcap)$ is a collection of context-free grammar
productions, where each production $\theta$ has the form

$X_0 \rightarrow g_\theta(X_1, \ldots, X_k)$.

Parentheses, commas, and $g_\theta$ (where $\theta$ is a production) are
terminal symbols. Every production $\theta$ is associated with a
function $g_\theta: S^k \rightarrow S$. Thus, every string $\alpha$ of
terminal symbols derived in this grammar (i.e., the yield of a complete
derivation tree) denotes a composition of functions, and corresponds to
a unique value in $S$, which we call $val_G(\alpha)$ (or simply
$val(\alpha)$ when $G$ is understood). Let $L_G(X)$ denote the strings
of terminals derivable from a nonterminal $X$. The abstract grammar
problem is to compute, for each nonterminal $X$, the value

$m_G(X) := \bigsqcap_{\alpha \in L_G(X)} val_G(\alpha)$.

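     Production
         for each

(1)  $PS_{(q,\gamma,q')} \rightarrow \epsilon$
         $q \xrightarrow{\gamma} q' \in \rightarrow_0$

(2)  $PS_{(p,\gamma,p')} \rightarrow \epsilon$
         $\langle p, \gamma\rangle \hookrightarrow \langle p', \epsilon\rangle \in \Delta$, $p \in P$

(3)  $PS_{(p,\gamma,q)} \rightarrow PS_{(p',\gamma',q)}$
         $\langle p, \gamma\rangle \hookrightarrow \langle p', \gamma'\rangle \in \Delta$, $p \in P$, $q \in Q$

(4)  $PS_{(p,\gamma,q)} \rightarrow PS_{(p',\gamma',q')}\ PS_{(q',\gamma'',q)}$
         $\langle p, \gamma\rangle \hookrightarrow \langle p', \gamma'\gamma''\rangle \in \Delta$, $p \in P$, $q, q' \in Q$

Figure 4. A context-free language for the pop sequences of
$\mathcal{PA}$, and the $\mathcal{PA}$ rules that correspond to each
production.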


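     Production
         for each

(1)  $Accepting[\gamma_1 \gamma_2 \ldots \gamma_n]_{(p,q)} \rightarrow PS_{(p,\gamma_1,q_1)}\ PS_{(q_1,\gamma_2,q_2)} \cdots PS_{(q_{n-1},\gamma_n,q)}$
         $q_i \in Q$, for $1 \le i \le n-1$; and $q \in F$

(2)  $Accepted[\gamma_1 \gamma_2 \ldots \gamma_n]_{(p)} \rightarrow Accepting[\gamma_1 \gamma_2 \ldots \gamma_n]_{(p,q)}$
         $q \in F$

Figure 5. Set of productions.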


Because the complete derivation trees with root
$Accepted[\gamma_1 \gamma_2 \ldots \gamma_n]_{(p)}$ encode the
transition sequences by which $\mathcal{WA}$ accepts
$\langle p, \gamma_1 \gamma_2 \ldots \gamma_n\rangle$, to cast the GPR
as a grammar problem, we merely have to attach appropriate production
functions to the productions so that for each rule sequence $\sigma$,
and corresponding derivation tree (with yield) $\alpha$, we have
$v(\sigma) = val_G(\alpha)$. This is done in Figure 6: note how
functions $g_2$, $g_3$, and $g_4$ place $f(r)$ at the beginning of the
semiring-product expression; this corresponds to a preorder listing of a
derivation tree’s production instances (cf. Theorem 6.1).

To solve the GPR problem, we appeal to the following theorem:

Theorem 6.2 [46, 34] The abstract grammar problem for $G$ and
$(S, \sqcap)$ can be solved by an iterative computation that finds the
maximum fixed point, when the following conditions hold:

1. The semilattice $(S, \sqcap)$ has no infinite descending chains.

2. Every production function $g_\theta$ in $G$ is distributive, i.e.,

$g_\theta\Big(\bigsqcap_{i_1 \in I_1} x_{i_1}, \ldots, \bigsqcap_{i_k \in I_k} x_{i_k}\Big) = \bigsqcap_{(i_1, \ldots, i_k) \in I_1 \times \cdots \times I_k} g_\theta(x_{i_1}, \ldots, x_{i_k})$

for arbitrary, non-empty, finite index sets $I_1, \ldots, I_k$.

3. Every production function $g_\theta$ in $G$ is strict in $0$ in each
argument.

The abstract grammar problem given in Figure 6 meets the conditions of
Theorem 6.2 because

1. By Definition 3.1, the $\oplus$ operator is associative, commutative,
and idempotent; hence $(D, \oplus)$ is a semilattice. By
Definition 3.1(5), $(D, \oplus)$ has no infinite descending chains.

2. The distributivity of each of the production functions
$g_1, \ldots, g_6$ over arbitrary, non-empty, finite index sets follows
from repeated application of Definition 3.1(3).

3. Production functions $g_3, \ldots, g_6$ are strict in $0$ in each
argument because $0$ is an annihilator with respect to $\otimes$
(Definition 3.1(4)). Production functions $g_1$ and $g_2$ are constants
(i.e., functions with no arguments), and hence meet the required
condition trivially.

Thus, one algorithm for solving the GPR problem for a given weighted PDS
$\mathcal{W}$, initial configuration
$\langle p, \gamma_1 \gamma_2 \ldots \gamma_n\rangle$, and regular set
$C$ (represented by automaton $\mathcal{A}$) is as follows:

• Create the combined weighted PDS $\mathcal{WA}$.

• Define the corresponding abstract grammar problem according to the
schema shown in Figure 6.

• Solve this abstract grammar problem by finding the maximum fixed point
using chaotic iteration: for each nonterminal $X$, the
fixed-point-finding algorithm maintains a value $l(X)$, which is the
current estimate for $X$’s value in the maximum fixed-point solution;
initially, all $l(X)$ values are set to $0$; $l(X)$ is updated whenever
a value $l(Y)$ changes, for any $Y$ used on the right-hand side of a
production whose left-hand-side nonterminal is $X$.

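6.4 A More Efficient Algorithm for the GPR Problem

The approach given in the previous section is not very efficient: for a
configuration $\langle p, \gamma_1 \gamma_2 \ldots \gamma_n\rangle$, it
takes $O(|Q|^{n-1}|F|)$ time and space just to create the grammar
productions in Figure 6 with left-hand-side nonterminal
$Accepting[\gamma_1 \gamma_2 \ldots \gamma_n]_{(p,q)}$. However, we can
improve on the algorithm of the previous section because not all
instantiations of the productions listed in Figure 6 are relevant to the
final solution; we want to prevent the algorithm from exploring useless
nonterminals of the grammar shown in Figure 6.

     Production
         production function
         for each

(1)  $PS_{(q,\gamma,q')} \rightarrow g_1(\epsilon)$
         $g_1 = 1$
         $(q, \gamma, q') \in \rightarrow_0$

(2)  $PS_{(p,\gamma,p')} \rightarrow g_2(\epsilon)$
         $g_2 = f(r)$
         $r = \langle p, \gamma\rangle \hookrightarrow \langle p', \epsilon\rangle \in \Delta$, $p \in P$

(3)  $PS_{(p,\gamma,q)} \rightarrow g_3(PS_{(p',\gamma',q)})$
         $g_3 = \lambda a.\, f(r) \otimes a$
         $r = \langle p, \gamma\rangle \hookrightarrow \langle p', \gamma'\rangle \in \Delta$, $p \in P$, $q \in Q$

(4)  $PS_{(p,\gamma,q)} \rightarrow g_4(PS_{(p',\gamma',q')}, PS_{(q',\gamma'',q)})$
         $g_4 = \lambda a.\lambda b.\, f(r) \otimes a \otimes b$
         $r = \langle p, \gamma\rangle \hookrightarrow \langle p', \gamma'\gamma''\rangle \in \Delta$, $p \in P$, $q, q' \in Q$

(5)  $Accepting[\gamma_1 \gamma_2 \ldots \gamma_n]_{(p,q)} \rightarrow g_5(PS_{(p,\gamma_1,q_1)}, PS_{(q_1,\gamma_2,q_2)}, \ldots, PS_{(q_{n-1},\gamma_n,q)})$
         $g_5 = \lambda a_1.\lambda a_2 \ldots \lambda a_n.\, a_1 \otimes a_2 \otimes \cdots \otimes a_n$
         $q_i \in Q$, for $1 \le i \le n-1$, and $q \in F$

(6)  $Accepted[\gamma_1 \gamma_2 \ldots \gamma_n]_{(p)} \rightarrow g_6(Accepting[\gamma_1 \gamma_2 \ldots \gamma_n]_{(p,q)})$
         $g_6 = \lambda a.\, a$
         $q \in F$

Figure 6. An abstract grammar problem for the GPR problem.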

Moreover, all GPR questions with respect to a given target-configuration
set $C$ involve the same subgrammar for the $PS$ nonterminals. As in the
(ordinary) pushdown-reachability problem [11, 20], the information about
whether a complete derivation tree with root nonterminal
$PS_{(q,\gamma,q')}$ exists (i.e., whether $PS_{(q,\gamma,q')}$ is a
productive nonterminal) can be precomputed and returned in the form of
an (annotated) automaton of size $O(|Q|\,|\Delta| + |\rightarrow_0|)$.
Exploring the $PS$ subgrammar lazily saves us from having to construct
the entire $PS$ subgrammar. Productive nonterminals represent automaton
transitions, and the productions that involve any given transition can
be constructed on-the-fly, as is done in Algorithm 1, shown in Figure 7.

It is relatively straightforward to see that Algorithm 1 solves the
grammar problem for the $PS$ subgrammar from Figure 6: workset contains
the set of transitions ($PS$ nonterminals) whose value $l(t)$ has been
updated since it was last considered; in line 8 all values are set to
$0$. A function call update($t$, $r$, $T$) computes the new value for
transition $t$ if $t$ can be created using rule $r$ and the transitions
in the ordered list $T$. Lines 9 and 10 process the rules of types (1)
and (2), respectively. Lines 11-17 represent the fixed-point-finding
loop: lines 13, 15, and 17 simulate the processing of rules of types (3)
and (4) that involve transition $t$ on their right-hand side; in
particular, line 4 corresponds to invocations of production functions
$g_3$ and $g_4$. Note that line 4 can change $l(t)$ only to a smaller
value (w.r.t. $\sqsubseteq$). The iterations continue until the values
of all transitions stabilize, i.e., workset is empty.

From the fact that Algorithm 1 is simply a different way of expressing
the grammar problem for the $PS$ subgrammar, we know that the algorithm
terminates and computes the desired result. Moreover, apart from
operations having to do with $l$, the algorithm is remarkably similar to
the $pre^*$ algorithm from [20]—the only major difference being that
transitions are stored in a workset and processed multiple times,
whereas in [20] each transition is processed exactly once. Thus, if
$\ell$ is the length of the maximal-length descending chain in the
semiring and $c_0$ is the maximal cost of an extender or combiner
operation, the time complexity increases from the complexity of the
unweighted case [20] by a factor of $\ell \cdot c_0$, i.e. the GPR
problem can be solved in time $O(c_0 \cdot |Q|^2 |\Delta| \cdot \ell)$.
(More efficient techniques that apply to certain semirings that are
total orders are discussed in Section 6.5.)

Given the annotated $pre^*$ automaton, the value of $\delta(c)$ for any
configuration $c$ can be read off from the automaton by following all
paths by which $c$ is accepted—accumulating a value for each path—and
taking the meet of the resulting value set. The value-accumulation step
can be performed using a straightforward extension of a standard
algorithm for simulating an NFA (cf. [1, Algorithm 3.4]).

Algorithm 1 is a dynamic-programming algorithm for determining
$\delta(c)$; Appendix A describes how to extend Algorithm 1 to keep
additional annotations on transitions so that the path set $\omega(c)$
can be obtained.

Algorithm 1

Input:  a weighted pushdown system W = (P, S, f),
          where P = (P, Γ, Δ) and S = (D, ⊕, ⊗, 0, 1);
        a P-automaton A = (Q, Γ, →0, P, F) that accepts C, such that A
          has no transitions into P states
Output: a P-automaton A_pre* = (Q, Γ, →, P, F) that accepts pre*(C);
        a function l that maps every (q, γ, q') ∈ → to the value of
          m_G(PS_(q,γ,q')) in the abstract grammar problem defined in
          Figure 6

 1  procedure update(t, r, T)
 2  begin
 3    → := → ∪ {t};
 4    l(t) := l(t) ⊕ (f(r) ⊗ l(T(1)) ⊗ … ⊗ l(T(|T|)));
 5    if l(t) changed value then workset := workset ∪ {t}
 6  end
 7
 8  → := →0; l ≡ 0; workset := →0;
 9  for all t ∈ →0 do l(t) := 1;
10  for all r = ⟨p, γ⟩ ↪ ⟨p', ε⟩ ∈ Δ do update((p, γ, p'), r, ());
11  while workset ≠ ∅ do
12    select and remove a transition t = (q, γ, q') from workset;
13    for all r = ⟨p1, γ1⟩ ↪ ⟨q, γ⟩ ∈ Δ do update((p1, γ1, q'), r, (t));
14    for all r = ⟨p1, γ1⟩ ↪ ⟨q, γ γ2⟩ ∈ Δ do
15      for all t' = (q', γ2, q'') ∈ → do update((p1, γ1, q''), r, (t, t'));
16    for all r = ⟨p1, γ1⟩ ↪ ⟨p', γ2 γ⟩ ∈ Δ do
17      if t' = (p', γ2, q) ∈ → then update((p1, γ1, q'), r, (t', t));
18  return ((Q, Γ, →, P, F), l)

Figure 7. An on-the-fly algorithm for solving the grammar problem for
the PS subgrammar from Figure 6.


6.5 Total Orderings

In the examples given in Section 3, the semirings all have the following
properties: (i) the ordering $\sqsubseteq$ is a total ordering; (ii) $1$
is the least element with respect to $\sqsubseteq$; and (iii) for all
$a, b \in D$, $a \otimes b \sqsupseteq lub(a, b)$ (where $lub$ denotes
“least upper bound”, or maximum, in the total order). In such cases,
there is a much more efficient algorithm for the GPR problem based on
ideas from Knuth’s generalization of Dijkstra’s algorithm for the
shortest-path problem [27].⁵

• In Algorithm 1, workset is implemented using a priority queue, and the
transition selected in line 12 is always one with minimum value. Line 5
changes to

    if l(t) changed value then
      adjustPriorityQueue(workset, t, l(t))

where adjustPriorityQueue(PQ, i, k) inserts item i into a priority queue
PQ with key k if i ∉ PQ, and changes the key of item i to k if i ∈ PQ
already. With this approach, the transitions processed form a
non-decreasing sequence; hence, no transition is selected from workset
more than once. (In the general case, the label of a transition may
change even if the transition has been selected before, causing it to be
added to workset again.) Compared to the PDS-reachability problem for
the unweighted case, all it costs to compute the maximum fixed-point
values is the cost of maintaining a priority queue. Thus, the time
complexity becomes
$O(c_0 \cdot |Q|^2 |\Delta| \cdot \log(|Q|\,|\Delta| + |\rightarrow_0|))$.

• The set $\omega(c)$ contains exactly one path.

⁵ The approach that we describe also applies to a slightly larger class
of totally ordered abstract grammar problems studied by Ramalingam [34];
however, our examples all fall into the class defined above, which was
studied by Knuth [27].
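
Added example (not code from the paper): Algorithm 1 of Figure 7 run on the pushdown system of Figure 2, with the read-off of δ(c) described in Section 6.4; it also answers the unweighted question of Section 5, since a configuration lies in pre*(S) exactly when its value is not the semiring 0. The semiring is the recency semiring (min, max, ∞, 0) of Section 7; the rule weights and all function and variable names are assumptions constructed for illustration.

```python
import math
from functools import reduce

# Recency semiring (R>=0 ∪ {∞}, min, max, ∞, 0): ⊕ = min, ⊗ = max.
ZERO, ONE = math.inf, 0.0
combine, extend = min, max

BOX, FILLED = "□", "■"

# Rules of Figure 2 as (p, γ, p', w, f(r)) for <p, γ> ↪ <p', w>, |w| <= 2.
# The weights f(r) are constructed sample recency values, not from the paper.
RULES = [
    ("K_X", BOX, "K_H", ("patient", FILLED), 3.0),       # rule (1)
    ("K_H", "patient", "K_H-AIDS", ("patient",), 1.0),   # rule (2)
    ("K_H", "patient", "K_H-IM", ("patient",), 2.0),     # rule (3)
    ("K_H-AIDS", "patient", "K_Alice", (), 9.0),         # rule (4)
    ("K_H-IM", "patient", "K_Alice", (), 4.0),           # rule (5)
]

# Automaton for S = {<K_Alice, □>, <K_Alice, ■>}; "s" is its accepting state.
TRANS0 = [("K_Alice", BOX, "s"), ("K_Alice", FILLED, "s")]
FINALS = {"s"}


def weighted_prestar(rules, trans0):
    """Algorithm 1: map each transition (q, γ, q') of A_pre* to its value l."""
    l = {t: ONE for t in trans0}      # lines 8-9; a missing key means value ZERO
    workset = list(trans0)

    def update(t, f_r, ts):           # lines 1-6
        val = reduce(extend, (l[u] for u in ts), f_r)
        old = l.get(t, ZERO)
        new = combine(old, val)
        if new != old:                # value changed: (re)schedule the transition
            l[t] = new
            workset.append(t)

    for p, g, p2, w, f_r in rules:    # line 10: pop rules
        if not w:
            update((p, g, p2), f_r, ())
    while workset:                    # lines 11-17
        t = workset.pop()
        q, g, q1 = t
        for p1, g1, p2, w, f_r in rules:
            if len(w) == 1 and (p2, w[0]) == (q, g):            # line 13
                update((p1, g1, q1), f_r, (t,))
            elif len(w) == 2:
                if (p2, w[0]) == (q, g):                        # lines 14-15
                    for t2 in [u for u in l if u[:2] == (q1, w[1])]:
                        update((p1, g1, t2[2]), f_r, (t, t2))
                t2 = (p2, w[0], q)
                if w[1] == g and t2 in l:                       # lines 16-17
                    update((p1, g1, q1), f_r, (t2, t))
    return l


def delta(l, finals, p, stack):
    """Read δ(<p, stack>) off the annotated automaton (weighted NFA simulation)."""
    frontier = {p: ONE}               # state -> ⊕ over all paths reaching it
    for sym in stack:
        nxt = {}
        for (q, g, q2), w in l.items():
            if g == sym and q in frontier:
                v = extend(frontier[q], w)
                nxt[q2] = combine(nxt.get(q2, ZERO), v)
        frontier = nxt
    return reduce(combine, (v for q, v in frontier.items() if q in finals), ZERO)


def authorized(l, finals, p, stack):
    """Unweighted answer: is <p, stack> in pre*(C)? (Valid here because every
    constructed rule weight is finite, so only unreachable configs get ZERO.)"""
    return delta(l, finals, p, stack) != ZERO


if __name__ == "__main__":
    l = weighted_prestar(RULES, TRANS0)
    print(delta(l, FINALS, "K_X", [BOX]), authorized(l, FINALS, "K_X", [BOX]))
```

With these sample weights the chain through rules (1), (3), (5) has value max(3, 2, 4) = 4 and the chain through (1), (2), (4) has value 9, so δ(⟨K_X, □⟩) is their ⊕ (min), 4.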

7  Discussion 

We  now  discuss  several  issues  that  arise  in  applying  the 
GAP  framework. 

Recency Policies. The recency metric presented in Section 3 is rather
simplistic compared to some others that have been studied: recency
policies can be based on a number of factors, such as the financial risk
of the authentication/authorization decision [44], semantics and
invalidity rate of the certificate contents, and the security of the
system used to generate the certificate. In a realistic setting, recency
values of certificates need to be normalized. One possibility is to base
the normalization on the remaining lifetime of the certificate (assuming
the “not after” times in the validity specification were appropriately
chosen). Let the lifetime of a certificate be
$L = T_{not\_after} - T_{current}$ (provided the certificate is still
valid, i.e., $T_{current}$ is before $T_{not\_after}$), and let the
recency of a certificate $C_i$ be defined
by  T* current— Tjgsue  _  in  this  case,  the  semiring  for  recency  is 

$(\mathbb{R}_{\ge 0} \cup \{\infty\}, \min, \max, \infty, 0)$.⁶

Multiple Security Policies. Authorization policies may be subject to
multiple security policies. For example, we might wish to satisfy
simultaneously a most-recent certificate-chain policy and a
privacy-preserving policy. One approach is the policy-priority approach,
in which the user declares the order of security-policy priorities; for
instance, privacy may be the first priority and recency the second
priority. Such problems can be addressed in the GAP framework, when the
component policies involve total orders, by using pairs of values as
semiring values—e.g., (privacy, recency) values—and defining $\oplus$ to
be lexicographic minimum [40, Section 6.4.1]. The GAP framework can also
handle partially ordered component policies, as well as the situation
where there is no clear preference among component policies
[40, Section 6.4.1].

Trust Policies. Several trust policies or metrics have been proposed in
the literature, such as [7, 31, 35, 36, 50]. Not all trust metrics can
be efficiently modeled in the GAP framework. For example, consider the
proposed Bounded Disjoint Paths (BDP) and Bounded Connective Paths
metrics, which are NP-hard and coNP-hard, respectively [35]. Thus, there
is little hope of finding an efficient solution to these problems. We
have not investigated whether the approximation algorithms [32, 35]
developed for these problems are applicable in our setting. Similarly,
the minimum-capacity-cut metric [36] cannot be easily formulated in our
framework. Because BDP and weighted shortest paths are both interesting
metrics in the certificate-chain context, one might consider trying to
use a metric of weighted-disjoint-bounded paths for certificate-chain
evaluation. However, the weighted-disjoint-bounded-paths problem has
been shown to be NP-complete for length bounds greater than 5, and
approximation algorithms are NP-hard [10].

⁶ $\mathbb{R}_{\ge 0} \cup \{\infty\}$ has infinite descending chains;
however, the only operations performed are min and max, and hence only a
finite number of values ever arise in any execution. Consequently, the
GAP framework still applies.

8 Related Work

A certificate-chain-discovery algorithm for SPKI/SDSI was first proposed
by Clarke et al. [16]. A credential-chain-discovery algorithm for the
role-based trust management language $RT_0$ was presented by Li et al.
[30]. In the proof-carrying-authorization (PCA) framework of Appel and
Felten [3], a client uses the theorem prover Twelf [33] to construct a
proof of authorization, which the client presents to the server. To the
best of our knowledge, no one has previously considered issues such as
privacy and trust in the context of certificate-chain-discovery
algorithms for trust management systems or
authorization-proof-construction algorithms for PCA. Our algorithm is
based on an algorithm for a generalized shortest-path problem in which
weights on edges are drawn from a semiring. This approach is quite
general, and it is likely that this approach applies to other formalisms
besides SPKI/SDSI.

Pushdown systems are related to “unrestricted hierarchical state
machines”, which are collections of finite-state transition systems
connected by call and return transitions [2, 6]. They are also related
to the “interprocedural control-flow graphs” [43] and “exploded
supergraphs” [37] used in interprocedural dataflow analysis. Thus,
dataflow analysis is another possible application of weighted PDSs. The
algorithm for solving GPR problems developed in Section 6.4 is related
to certain existing dataflow-analysis algorithms [43, 26, 41]. In
particular, Sagiv et al. showed how to compute
meet-over-all(-valid)-paths values for multi-entry/multi-exit
hierarchically structured graphs [41]. However, with respect to previous
work on interprocedural dataflow analysis, Section 6 makes two
contributions:

• Conventional dataflow-analysis algorithms merge together the values
for all configurations with the same top-of-stack symbol. With weighted
PDSs, dataflow queries can be posed with respect to a regular language
of initial stack configurations. This provides a strict generalization
of the kind of answers obtainable via ordinary interprocedural
dataflow-analysis algorithms.

• Because the algorithm for solving GPR problems can provide a witness
set of paths, one can provide a client of the analysis algorithm with an
explanation of why the answer to a dataflow query has the value
reported.

The application of weighted PDSs for interprocedural dataflow analysis
is examined in greater detail in [38]. Model checking of pushdown
systems has also been used for verifying security properties of programs
[21, 23, 14]. Thus, another application of weighted pushdown systems is
for verifying security properties of programs, where the verification
process requires knowing interprocedural dataflow information.

Bouajjani, Esparza, and Touili [12] independently developed
a similar framework, in which pre* and post* queries
on pushdown systems with weights drawn from a semiring
are used to solve (overapproximations of) reachability
questions on concurrent communicating pushdown systems.
Their method of obtaining weights on automaton
transitions significantly differs from ours. Instead of deriving
the weights directly, they are obtained using a fixpoint
computation on a matrix whose entries are the transitions
of the pre* automaton. This allows them to obtain
weights even when the semiring does have infinite descending
chains (provided the extender operator is commutative),
but leads to a less efficient solution for the finite-chain
case. In the latter case, their algorithm has time complexity
O(c0 · |Q||Δ| · (|Q||Δ| + | |)^2 · t), i.e., proportional
to |Q|^3 and |Δ|^3. All but one of the semirings used
in [12] have only finite descending chains, so Algorithm 1
applies to those cases and provides a more efficient solution.

A number of trust policies or metrics have been proposed
to obtain assurance on a certificate binding. The
most well-known notions stem from PGP [50] where each
user acts as a certificate authority by creating certificates
for entities they trust. In a transitive manner, other certificate
authorities (or “recommendors”) introduce new certificate
authorities they trust by creating other certificates.
Assurance through this certificate-chaining process is provided,
in part, by independent certificate paths [50]. Subsequent
work studies network connectivity as another trust
metric [35]. Other work studies metrics based on confidence
valuations [7, 28, 31], minimum-capacity cuts on certificated
edges that represent financial liabilities [36], and an
algebra for assessing trust in certificate chains [25].

Private or sensitive information may reside within certificates.
This may include names, roles, and/or other identifying
information. Furthermore, chains of authorization
certificates tend to mirror organization structures, business
processes, and personal relations, which may also be sensitive
[4]. The principal making the authorization request
may follow a privacy policy to control what information
is disclosed or leaked as part of the authorization process.
Some flexibility may exist so that the requester can choose
from an alternative set of credentials that may be supplied
as part of the proof of authorization. The certificate privacy
problem is related to the long history of work on information
flow based on a lattice model [5, 17], which attempts
to model controls on the flow of information. Traditional
information-flow policies stemming from the military [48]
are concerned with information-disclosure policies under
which access to data requires a proper clearance (mandatory
access control) and a need to know (discretionary access
control). We can draw from this work in the sense that our
willingness to provide credentials with certain categories of
information is subject to the current “discretionary” access
request. Furthermore, policies may be based on the
Chinese-Wall security policy [13] under which access to
data is not constrained by attributes of the data in question
but by the data to which the subject already holds access
rights. However, the objective of the current paper has been
to demonstrate a simple privacy metric that quantifies information
flow for a certificate chain.

Validity time periods have been included in certificate
formats since the early certificate standards [47]. The validity
of the certificate contents is suspect if the current
time is not within the certificate-validity period.
Certificate-revocation lists or directories can be queried to determine if
the credentials are known to be invalid. Stubblebine [44]
formalizes the notion of recent-secure authentication as a
means for authenticating a channel subject to freshness constraints.
That work provides a means for reasoning about
recent-secure authentication by extending a calculus of
authentication [29]. Rivest further develops the case for flexible
mechanisms that support authentication subject to recency
constraints [39]. Additional recency policies and
methods of analysis for recent-secure authentication were
further developed in a work that provides a monotonic logic
for reasoning about synchronization, revocation, and recency
[45]. Other monotonic logics for reasoning about
validity intervals in the SPKI context have also been studied
[22].

Appendix

A  Generation  of  Witness  Sets 

Section 6.4 gives an efficient algorithm for determining
$\delta(c)$; this section addresses the question of how to obtain
$\omega(c)$. It may help to think of this problem as that of
examining an infinite graph $\mathcal{G}$ whose nodes are pairs $(c, d)$,
where $c$ is a configuration and $d$ a value from $D$, and in
which there is an edge from $(c_1, d_1)$ to $(c_2, d_2)$ labeled with
$r \in \Delta$ if and only if $c_1$ $c_2$ and $f(r) \otimes d_2 = d_1$.
For a given configuration $c$, finding $\omega(c)$ means identifying
a set of paths $\sigma_1, \ldots, \sigma_k$ such that path $\sigma_i$, $1 \le i \le k$,
leads from some $(c, d_i)$ to some $(c_i, 1)$, where $c_i \in C$, and
$\bigoplus_{i=1}^{k} d_i = \delta(c)$. In other words, $\omega(c) = \{\sigma_1, \ldots, \sigma_k\}$
proves that $\delta(c)$ really has the value computed by Algorithm 1.
We note the following properties:

• In general, $k$ may be larger than 1, e.g., we might have
a situation where $\delta(c) = d_1 \oplus d_2$ because of two paths
with values $d_1$ and $d_2$, but there may be no single path
with value $d_1 \oplus d_2$.

• We want to keep $\omega(c)$ as small as possible. If a witness
set contains two paths $\sigma_1$ and $\sigma_2$, where $v(\sigma_1) \sqsubseteq
v(\sigma_2)$, then the same set without $\sigma_2$ is still a witness
set.

Like $\delta(c)$, $\omega(c)$ will be given indirectly in the form of another
annotation (called $n$) on the transitions of $\mathcal{A}_{pre^*}$. We
use two data structures for this, called wnode and wstruc.
If $t$ is a transition, then $n(t)$ holds a reference to a wnode.
(We shall denote a reference to some entity $e$ by $[e]$.) A wnode
is a set of wstruc items. A wstruc item is of the form
$(d, [t], [r], N)$ where $d \in D$, $[t]$ is a reference back to $t$,
$r \in \Delta$ is a rule, and $N$ contains a sequence of references to
wnodes. References may be nil, indicating a missing reference.

We can now extend Algorithm 1. The idea is that during
execution, if $n(t) = [S]$, then $l(t) = \bigoplus_{(d,[t],[r],N) \in S} d$.
An item $(d, [t], [r], N)$ in $S$ denotes the following: Suppose
that $\mathcal{A}_{pre^*}$ has an accepting path starting with $t$, and $c$ is the
configuration accepted by this path. Then, in the pushdown
system, there is a path (or rather, a family of paths) with
value $d$ from $c$ to some $c' \in C$, and this path starts with $r$.
An accepting path (in $\mathcal{A}_{pre^*}$) for a successor configuration
can be constructed by replacing $t$ with the transitions
associated with the wnodes in $N$.

Algorithm 2

 1  procedure update($t$, $r$, $T$)
 2  begin
 3    $\to \; := \; \to \cup \{t\}$;
 4    $d := f(r) \otimes l(T(1)) \otimes \ldots \otimes l(T(|T|))$;
 5    $s := (d, [t], [r], (n(t') \mid t' \in T))$;
 6    if $l(t) \sqsubseteq d$ then return;
 7    if $n(t) = \mathit{nil}$ or $d \sqsubseteq l(t)$ then
 8      create $n := \{s\}$;
 9    else
10      create $n := \mathit{minimize}(S \cup \{s\})$,
11        where $n(t) = [S]$;
12    $n(t) := [n]$;
13    $l(t) := l(t) \oplus d$;
14    $\mathit{workset} := \mathit{workset} \cup \{t\}$
15  end

Figure 8. Modified update procedure.

The concrete modifications to Algorithm 1 are as follows:
In line 8, set $n = \mathit{nil}$. In line 9, create a wnode
$n := \{(1, [t], \mathit{nil}, ())\}$ for every $t \in \to_0$ and set $n(t) := [n]$.

Figure 8 shows a revised update procedure. Line 4 of
Figure 8 computes the newly discovered value for transition
$t$, and line 5 records how the new path was discovered.
In line 6, if $l(t) \sqsubseteq d$, the update will not change $l(t)$ and
nothing further needs to be done. If $d \sqsubseteq l(t)$ (see line 8),
the new addition is strictly smaller than any path to $t$ so far,
and $n(t)$ only has to reference the new path. If $d$ and $l(t)$
are incomparable, line 11 creates a new set consisting of the
previous paths and the new path. Even though $d$ is incomparable
to $l(t)$, $d$ might approximate ($\sqsubseteq$) one or more elements
of $S$. The procedure minimize (not shown) removes these.
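
The three outcomes of the revised update procedure (no change, replace, merge-and-minimize) can be traced with a short Python sketch. This is an added example, not code from the paper: the weight domain (pairs of non-negative integers with componentwise minimum as ⊕ and componentwise sum as ⊗), the rule names r1 to r5, the two transitions, and the body of minimize are assumptions made here.

```python
INF = float("inf")
ZERO, ONE = (INF, INF), (0, 0)   # semiring zero and one (constructed weight domain)

def combine(a, b):               # ⊕: componentwise minimum
    return (min(a[0], b[0]), min(a[1], b[1]))

def extend(a, b):                # ⊗: componentwise sum
    return (a[0] + b[0], a[1] + b[1])

def leq(a, b):                   # a ⊑ b  iff  a ⊕ b = a
    return combine(a, b) == a

def minimize(items):
    # Assumed behaviour (the paper does not show minimize): drop every wstruc
    # whose value is approximated by a different value in the set.
    return frozenset(s for s in items
                     if not any(o[0] != s[0] and leq(o[0], s[0]) for o in items))

class Annotations:
    def __init__(self, f):
        self.f, self.trans, self.workset = f, set(), set()
        self.l, self.n = {}, {}  # l(t) defaults to ZERO, n(t) to nil (None)

    def update(self, t, r, T):   # trailing comments: line numbers of Figure 8
        self.trans.add(t)                                   # 3
        d = self.f[r]
        for u in T:
            d = extend(d, self.l[u])                        # 4
        s = (d, t, r, tuple(self.n[u] for u in T))          # 5: wstruc item
        lt = self.l.get(t, ZERO)
        if leq(lt, d):                                      # 6: nothing new
            return
        if self.n.get(t) is None or leq(d, lt):             # 7
            node = frozenset({s})                           # 8: new path subsumes old
        else:
            node = minimize(self.n[t] | {s})                # 10-11: incomparable
        self.n[t] = node                                    # 12
        self.l[t] = combine(lt, d)                          # 13
        self.workset.add(t)                                 # 14

def demo():
    # Constructed input: one initial transition t0 and five rules leading into it.
    f = {"r1": (1, 5), "r2": (5, 1), "r3": (6, 6), "r4": (0, 4), "r5": (0, 0)}
    a, t0, t = Annotations(f), ("s", "g", "acc"), ("p", "g", "acc")
    a.l[t0], a.n[t0] = ONE, frozenset({(ONE, t0, None, ())})
    a.trans.add(t0)
    trace = []
    for r in ("r1", "r2", "r3", "r4", "r5"):
        a.update(t, r, [t0])
        trace.append((a.l[t], sorted(s[0] for s in a.n[t])))
    return trace
```

demo() returns, after each call, l(t) and the values held in the wnode referenced by n(t). After r2 the wnode holds two incomparable values whose combine is not the value of any single path, and r4 shows minimize discarding an older item that the new value approximates.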

It is fairly straightforward to see that the information
contained in $S$ allows the reconstruction of a witness set
involving $t$ (see above). Moreover, every wnode created during
execution contains references only to wnodes created
earlier. Therefore, the process of reconstructing the witness
set by decoding wnode/wstruc information must eventually
terminate in a configuration from $C$.

During execution of the modified algorithm, several wnodes
for the same transition $t$ can be created; only one
of them is referenced by $t$ at any moment, although the
other wnodes may still be referenced by other transitions.
A garbage collector can be used to keep track of the references
and remove those nodes to which there is no longer
any chain of references from any transition.

In  the  totally  ordered  case  described  in  Section  6.5,  every 
wnode  can  contain  exactly  one  wstruc. 